Tag Archives: ipsec

Using Route Based VPNs to Make Hairpinning More Logical

Last week we looked at the challenges of combining VPN and NAT on the same device while hairpinning VPN traffic back out to the Internet. That created some interesting challenges with NAT that required some duct tape and band-aids to … Continue reading

Posted in Network, Security, Technology | 13 Comments

Hairpinning Internet and VPN Traffic in Cisco IOS with NAT

This week I wanted to address a concept that comes up occasionally: hairpinning Internet traffic through a VPN. For this particular case study, we will use an IOS based Cisco router to terminate both ends … Continue reading

Posted in Network, Security, Technology | 21 Comments

Old School Method of IOS Static NAT Exemption

Last week, I wrote an article that demonstrated the challenges of static NAT when combined with VPNs using RFC1918 address space. We created exemptions using route-maps within the static NAT statements. Cisco didn’t introduce route-maps for static translations until 12.2(4)T. … Continue reading

Posted in Network, Security | 1 Comment

Exempting Static Translations in IOS NAT

Last week I wrote an article that defined the need for NAT exemption. This article used the example of a single device that terminated a VPN to a network that used the RFC1918 private address on the remote side. Additionally, … Continue reading

Posted in Network, Security | 3 Comments

Defining the Need for NAT Exemption

It recently occurred to me that we have often discussed various configurations of NAT exemption. However, we have never really discussed the typical need or use case for requiring this type of configuration. This article is meant as a general … Continue reading

Posted in CCIE Security, CCNA Security, Certification, Network, Security, Technology | 4 Comments
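The three NAT exemption posts above (defining the need, exempting static translations, and the route-map method that requires 12.2(4)T) share one underlying configuration. The following is an added example, not the configuration from any of those posts, showing the route-map approach on IOS. All addresses, ACL names and the interface name are assumed: inside host 192.168.1.10 is statically translated to 203.0.113.10 for Internet traffic, the rest of 192.168.1.0/24 is PATed to the outside interface, and neither translation applies to traffic headed for the VPN peer's LAN 192.168.2.0/24.

```text
! Added example (not from the original posts). Addresses and names are assumed.
!
! Deny = do not translate; permit = translate. Traffic to the remote VPN LAN
! must keep its real source address so the crypto ACL below can match it.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NO-NAT-TO-VPN permit 10
 match ip address NAT-EXEMPT
!
! Static translation with a route-map exemption (12.2(4)T or later).
ip nat inside source static 192.168.1.10 203.0.113.10 route-map NO-NAT-TO-VPN
!
! Dynamic PAT for everything else, reusing the same exemption.
ip nat inside source route-map NO-NAT-TO-VPN interface GigabitEthernet0/0 overload
!
! Crypto ACL matches the untranslated (RFC1918) addresses. On IOS, inside-to-outside
! NAT happens before encryption, so without the exemption above this ACL would
! never match and the traffic would be sent to the Internet translated instead.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
```

Check the result with `show ip nat translations` while sending traffic from 192.168.1.10 to both an Internet host and a 192.168.2.x host: only the Internet flow should appear as a translation, and `show crypto ipsec sa` should show the VPN flow's encaps counters increasing. Note that the route-map on a static translation governs the inside-to-outside direction; connections initiated from the Internet to 203.0.113.10 are still translated to 192.168.1.10 as usual.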

Multiple Protocols over IPSec

Last week we examined a Cisco VPN construct called SVTI. This is basically using a “tunnel interface” in conjunction with an IPSec Protection profile. One of the limitations I mentioned was that, in comparison to GRE based tunnel interfaces, VTI … Continue reading

Posted in CCIE Security, Certification, Network, Security, Technology | 4 Comments

Advantages of Using SVTI Based VPNs

Starting in version 12.3T (which is some time ago), Cisco started offering an alternative for configuring IOS based VPNs. This method is called SVTI, or static virtual tunnel interfaces. SVTI is one category of VTI that is basically a configuration … Continue reading

Posted in CCIE Security, Certification, Network, Security, Technology | 9 Comments
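The two posts above (SVTI basics and the protocol limitation compared with GRE tunnel interfaces) are illustrated by the following added example, which is not configuration from either post. It shows the same IPSec protection profile applied to a static VTI and to a GRE tunnel interface, so the difference is visible in the `tunnel mode` line. Peer addresses, the pre-shared key, interface names and subnets are all assumed; IKEv1 is used because that is what the 12.3T-era feature shipped with.

```text
! Added example (not from the original posts). Peer, key, names and subnets are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key S3cr3tPSK address 203.0.113.2
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set AES256-SHA
!
! Option A: static VTI. There is no crypto ACL; anything routed into Tunnel0
! is encrypted. The tunnel carries IP only (unicast and multicast), so routing
! protocols work but non-IP payloads cannot be sent over it.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Option B: GRE over IPSec with the same profile. GRE encapsulation (the default
! tunnel mode) carries non-IP protocols as well, at the cost of the extra GRE
! and outer IP headers. Configure either A or B for a given peer, not both.
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile VTI-PROFILE
!
! Traffic selection is done by routing, not by a crypto ACL.
ip route 192.168.2.0 255.255.255.0 Tunnel0
```

The practical check is `show crypto ipsec sa`: with a VTI the proxy identities are 0.0.0.0/0 to 0.0.0.0/0 (everything routed into the interface), which is also why NAT exemption ACLs matter less here than with crypto-map based tunnels, since nothing is consulted other than the routing table.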

Protecting Insecure Protocols

Last week I wrote an article that demonstrated the grievous security oversight in the Telnet protocol. Telnet, being a clear-text protocol, exposes the entire contents of any session to anyone who can gain access to the traffic. Telnet is … Continue reading

Posted in Network, Security, Technology | Leave a comment

ASA DSCP Preservation with IPSec

Cisco documents a feature called “DSCP Preservation” regarding ToS byte handling on the ASA. This basically means that the ToS byte is left intact as packets flow through the firewall. But what happens to the ToS byte … Continue reading

Posted in CCIE Security, Certification, Network, Security, Technology | 1 Comment

Migrating ASA NAT Exemption Configuration

NAT exemptions are often required when a single ASA appliance is performing NAT and terminating VPN connections. In ASA configurations prior to 8.3 (the release that rewrote NAT, further refined in 8.4), NAT exemptions were configured with “nat 0 access-list <acl name>” and a related access-list.

Posted in CCIE Security, Certification, Security, Technology | 7 Comments
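The migration the post above describes, written out as an added example (not the post's own configuration): an ASA that PATs 10.1.1.0/24 to its outside interface but must send traffic for the VPN peer's 10.2.2.0/24 untranslated. Addresses and object names are assumed.

```text
! Added example (not from the original post). Addresses and object names are assumed.
!
! --- Pre-8.3: nat 0 with an access-list ---
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
!
! --- 8.3 and later: manual (twice) NAT identity rule ---
object network LOCAL-LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.2.2.0 255.255.255.0
!
! Section 1 (manual NAT) is evaluated before Section 2 (object NAT), so this
! identity rule wins for VPN-bound traffic. no-proxy-arp and route-lookup are
! available from 8.4(2); omit them on earlier images.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! Section 2: object NAT PATs everything else to the outside interface address.
object network LOCAL-LAN
 nat (inside,outside) dynamic interface
```

Verify with `show nat` (the identity rule should list hits as VPN traffic flows) and with packet-tracer, e.g. `packet-tracer input inside tcp 10.1.1.10 1025 10.2.2.10 443`: the NAT phase should show the identity rule rather than the dynamic PAT, followed by a VPN encrypt phase. The common migration mistake is to convert the old `nat 0` line into an object NAT rule, which lands in Section 2 and may be shadowed by other rules; the manual NAT form above is the faithful equivalent.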

ASA L2L VPN Spoke to Spoke Communication

It seems like some of the more challenging things to do on an ASA involve some sort of traffic being redirected out the same interface it was received on. This article addresses the requirement for spoke to hub to spoke … Continue reading

Posted in CCIE Security, Certification, Security, Technology | 34 Comments
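The spoke-to-hub-to-spoke requirement from the post above, as an added example of the hub-side configuration (not the post's own). Hub LAN 10.0.0.0/24; spoke A is 10.10.1.0/24 behind peer 198.51.100.1 and spoke B is 10.10.2.0/24 behind peer 198.51.100.2. All addresses, names and the transform set are assumed; IKE policy and tunnel-group definitions are omitted.

```text
! Added example (not from the original post). Addresses and names are assumed.
!
! 1. The hairpin: allow traffic to leave "outside" after arriving on "outside".
same-security-traffic permit intra-interface
!
! 2. Each tunnel's crypto ACL must include the OTHER spoke's network, and each
!    spoke's own crypto ACL must mirror this (spoke A must list 10.10.2.0/24
!    as an interesting destination, not only the hub LAN).
access-list VPN-SPOKE-A extended permit ip 10.0.0.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN-SPOKE-A extended permit ip 10.10.2.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.0.0.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list VPN-SPOKE-B extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
!
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SPOKE-A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SPOKE-B
crypto map OUTSIDE-MAP 20 set peer 198.51.100.2
crypto map OUTSIDE-MAP 20 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! 3. Spoke-to-spoke flows enter and exit on "outside". If any NAT applies to
!    that interface pair, exempt them with an identity rule (8.3+ syntax).
object network SPOKE-A-LAN
 subnet 10.10.1.0 255.255.255.0
object network SPOKE-B-LAN
 subnet 10.10.2.0 255.255.255.0
nat (outside,outside) source static SPOKE-A-LAN SPOKE-A-LAN destination static SPOKE-B-LAN SPOKE-B-LAN
```

A quick check from the hub is `packet-tracer input outside icmp 10.10.1.10 8 0 10.10.2.10`: the trace should show the intra-interface permit, the identity NAT rule, and a VPN encrypt phase toward 198.51.100.2. If the trace stops at the routing or NAT phase, the usual culprits are a missing `same-security-traffic permit intra-interface` or a spoke crypto ACL that does not mirror the hub's.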

ASA VPN with Address Overlap

More and more, the Internet is being used as a connection to business partners. Typically this requires building an IPSec tunnel between two VPN capable endpoints. For me, the device of choice is the Cisco ASA. Since we are connecting to a business … Continue reading

Posted in Network, Security, Technology | 42 Comments